Information processing device and management device

ABSTRACT

An information processing device which transmits and receives a message to which a communication ID indicating a class has been assigned, includes: a storage unit which stores, for each of the communication IDs, a communication counter for verifying a recency of a communication; a recency information management unit which updates the communication counter based on a predetermined condition; an abnormality monitoring unit which identifies an influence range of an abnormality that occurred; and a message generation unit which generates a synchronization request message including the communication ID indicating that it is a message requesting a synchronization of the communication counter, and a synchronization target identifier indicating the influence range identified by the abnormality monitoring unit.

TECHNICAL FIELD

The present invention relates to an information processing device and amanagement device.

BACKGROUND ART

As a representative standard protocol in an in-vehicle network ofautomobiles, a CAN (Controller Area Network) (registered trademark) isin widespread use. With this kind of in-vehicle network, for instance,there is a risk of an illegal device being connected to an interfacesuch as an OBD2 (On-Board-Diagnostics 2) port which is directlyconnected to the in-vehicle network, and an illegal message beingtransmitted to the in-vehicle network. The communication data of the CANdoes not have a field indicating the origin (source address),impersonation is easy, and is particularly vulnerable to replay attacks.A replay attack is the attack of wiretapping messages being transmittedon the communication path and acquiring such messages in advance, andcausing illegal operations by retransmitting the acquired messages.

Normally, in order to deal with this kind of threat, it is effective toutilize a message authentication code (MAC) as a falsification detectioncode in the message being transmitted between the respective informationprocessing devices, and perform message authentication by also givingconsideration to measures against retransmission attacks. Nevertheless,when applying message authentication which gives consideration tomeasures against retransmission attacks in an in-vehicle system, forexample, when an abnormality, such as an unexpected reset operation,occurs in the information processing device, the synchronization of thecommunication counter values being shared between the informationprocessing device in a transmission/reception relationship will becomeunsynchronized. As a result, there is a problem in that the informationprocessing device will not be able to properly verify the receivedmessage.

PTL 1 discloses a communication system comprising a plurality of nodesconnected to each other, wherein each node generates a messageauthentication code by using a count value of a counter, and a messagetransmitted and received between the nodes is verified by using themessage authentication code, the communication system comprising: anupper count value retention unit in which one of the nodes is deemed amanagement node, the nodes that transmit and receive the message aredeemed a normal node, an upper side upon dividing the count value of thecounter into halves is deemed an upper count value and a lower sidethereof is deemed a lower count value, and the management node retainsthe upper count value; an upper count value updating unit which updatesthe upper count value according to a pre-set upper updating condition;and an upper count value distribution unit which distributes the uppercount value retained in the upper count value retention unit to thenormal node according to a pre-set distribution condition, wherein thenormal node comprises a count value retention unit which retains thecount value; a lower updating unit which updates the lower count valueretained in the count value retention unit according to a pre-set lowerupdating condition; an upper updating unit which updates the upper countvalue retained in the count value retention unit by using the uppercount value distributed from the management node; and a lowerinitialization unit which initializes the lower count value when theupper count value is updated by the upper updating unit.

CITATION LIST Patent Literature

[PTL 1] Japanese Unexamined Patent Application Publication No.2017-38365

SUMMARY OF THE INVENTION Problems to be Solved by the Invention

With the invention described in PTL 1, it is not possible to target onlya specific device to be synchronized.

Means to Solve the Problems

According to the 1st aspect of the present invention, an informationprocessing device which transmits and receives a message to which acommunication ID indicating a class has been assigned, includes: astorage unit which stores, for each of the communication IDs, acommunication counter for verifying a recency of a communication; arecency information management unit which updates the communicationcounter based on a predetermined condition; an abnormality monitoringunit which identifies an influence range of an abnormality thatoccurred; and a message generation unit which generates asynchronization request message including the communication IDindicating that it is a message requesting a synchronization of thecommunication counter, and a synchronization target identifierindicating the influence range identified by the abnormality monitoringunit.

According to the 2nd aspect of the present invention, a managementdevice which relays a communication of communication segments to whichthe information processing device according to the 1st aspect isconnected, wherein: a plurality of the information processing devicesare disposed by being divided into two or more segments; the managementdevice includes: a communication unit which communicates with each ofthe two or more segments; and a transfer unit which, upon receiving thesynchronization request message, transfers the synchronization requestmessage only to the segment to which belongs the information processingdevice to synchronize the communication counter based on thesynchronization request message.

Advantageous Effects of the Invention

According to the present invention, it is possible to target only aspecific device to be synchronized.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a diagram showing a configuration of the informationprocessing device 1 according to the first embodiment.

FIG. 2 is a diagram showing an example of the information stored in theRAM 19B.

FIG. 3 is a diagram showing an example of the influence rangeinformation 191.

FIG. 4 is a diagram showing an example of the recency-relatedinformation 192.

FIG. 5 is a diagram showing an example of the structure of thesynchronization request message.

FIGS. 6A and 6B are diagrams showing an example of the data structure ofthe synchronization target identifier 702.

FIG. 7 is a diagram showing an example of the communication-relatedinformation 193.

FIG. 8 is a diagram showing a re-synchronization processing sequence ofthe communication counter value.

FIG. 9 is a flowchart showing the detailed processing from step 211 tostep 216 of FIG. 8 .

FIG. 10 is a flowchart showing the detailed processing from step 231 tostep 235 of FIG. 8 .

FIG. 11 is a configuration diagram of a network N including theinformation processing device 1 according to the second embodiment.

FIG. 12 is a configuration diagram of the management device 950.

FIG. 13 is a flowchart showing the operation of the transfer unit 952 ofthe management device 950.

DESCRIPTION OF EMBODIMENTS First Embodiment

The first embodiment of the information processing device is nowexplained with reference to FIG. 1 to FIG. 10 .

Configuration

FIG. 1 is a diagram showing a configuration of the informationprocessing device 1 according to the first embodiment. A firstinformation processing device 1A, a second information processing device1B and a third information processing device 1C are mutually connectedvia a communication bus 2. However, the first information processingdevice 1A, the second information processing device 1B, and the thirdinformation processing device 1C are configured in the same manner. Inthe following explanation, when the first information processing device1A, the second information processing device 1B, and the thirdinformation processing device 1C are not specifically differentiated,they are collectively referred to as “information processing device 1”.Moreover, while FIG. 1 shows three information processing devices 1,four or more information processing devices 1 may also be connected.

The communication bus 2 corresponds, for example, to a CAN. A messagethat flows through the communication bus 2 is assigned a communicationID indicating the class of that message. A message is, for example, aCAN frame, and a communication ID is, for example, a CAN-ID. In otherwords, a message is synonymous with a frame, a datagram, a packet or thelike.

The information processing device 1 comprises a communication unit 10,an abnormality monitoring unit 11, an abnormality detection unit 11A, asynchronization range identification unit 12, a recency informationmanagement unit 13, a recency information calculation unit 14, a messagegeneration unit 15, a synchronization processing execution determinationunit 16, a recency information verification unit 17, a messageverification unit 18, a synchronization processing control unit 19, astorage unit 19A, and a RAM 19B. The communication unit 10 receivesmessage from other information processing devices 1 and transmitsmessages to other information processing devices 1 via the communicationbus 2.

The synchronization recovery processing-related information storage unit19A stores influence range information 191, recency-related information192, and communication-related information 193 which are informationrelated to the synchronization recovery processing. The influence rangeinformation 191 is information indicating the detected abnormality andthe range influenced by that abnormality. The recency-relatedinformation 192 is information in which a synchronization counter to beupdated during the synchronization recovery processing described later,and a communication counter to be updated each time communication isperformed, are each recorded for each communication ID. Thecommunication-related information 193 is information indicating thedevice to receive the communication for each communication ID.

The influence range information 191 and the communication-relatedinformation 193 may be of subject matter that is common among allinformation processing devices 1 connected to the communication bus 2,or may include information which is essential for each informationprocessing device 1. In the scope explained in this embodiment, theinformation stored in the influence range information 191 and thecommunication-related information 193 is fixed; in other words, it isnot updated. With the recency-related information 192, values areindependently updated for each information processing device 1. Morespecifically, a value of the synchronization counter and a value of thecommunication counter are updated for each information processing device1. Note that, so as long as the processing is being performed normally,all information processing devices 1 will have the same value.

Allocated in the RAM 19B are a a plurality of communication ID slots anda plurality of device ID slots, which are storage areas, and acommunication ID and a device ID are stored therein, respectively. Theinformation stored in the RAM 19B is the same in all informationprocessing devices 1 connected to the communication bus 2. Thus, bypreparing only a few slots and storing, in each slot, information thatis longer than the identifying information of the slot, the total amountof communication data that flows though the communication bus 2 can bereduced. An example of the information stored in the RAM 19B will bedescribed later. However, the information to be stored in the RAM 19Bmay also be stored in a cache memory of a CPU not shown or the storageunit 19A.

The abnormality monitoring unit 11 detects an abnormality based on theinfluence range information 191. The abnormality detection unit 11Adetects an abnormality and then creates an abnormality code 1911described later. The synchronization range identification unit 12 usesthe influence range information 191 and identifies a synchronizationrange. The recency information management unit 13 manages therecency-related information 192. The recency information calculationunit 14 calculates new recency information within the range designatedby the synchronization range identification unit 12. The messagegeneration unit 15 generates a message including control data or amessage including a synchronization request to be transmitted to theother information processing devices via the communication unit 10. Inthe following explanation, a message including a synchronization requestis referred to as a “synchronization request message”. A specificexample of the synchronization request message will be described later.Moreover, in this embodiment, any message other than the synchronizationrequest message is referred to as a “normal message”.

The synchronization processing execution determination unit 16determines whether the received synchronization request message isrelated to itself. The recency information verification unit 17 verifiesthe recency of the received message. The message verification unit 18verifies the completeness of the communication message. Thesynchronization processing control unit 19 registers, as new recencyinformation, the value of the recency-related information 192 that isset according to predetermined rules using the recency informationmanagement unit 13 when the various verification results are correct.The communication counter included in the recency-related information192 is read from a nonvolatile memory into a volatile memory when it isactivated, and may be stored in the nonvolatile memory when it isdeactivated.

The communication unit 10 is configured, for example, by includinghardware for performing communication such as a communication modulecorresponding to a CAN. The storage unit 19A is a non-volatile storagedevice such as a flash memory.

The abnormality monitoring unit 11, the abnormality detection unit 11A,the synchronization range identification unit 12, the recencyinformation management unit 13, the recency information calculation unit14, the message generation unit 15, the synchronization processingexecution determination unit 16, the recency information verificationunit 17, the message verification unit 18, and the synchronizationprocessing control unit 19 are realized by a CPU, which is a centralprocessing unit (not shown) equipped in the information processingdevice 1, executing programs. The respective programs may be stored inadvance in a memory (not shown) or a ROM (Read Only Memory) in theinformation processing device 1, or, by providing an input/outputinterface to the information processing device 1 in advance, therespective programs may also be read into a nonvolatile memory or a ROMfrom other devices via a medium that can be used by the input/outputinterface and the information processing device 1 as needed. Here, a“medium” means, for example, a storage medium that can be attached toand detached from the input/output interface, or a communication medium(that is, a wired, wireless or optical network, or carrier waves ordigital signals that propagate through such network).

However, the abnormality monitoring unit 11, the abnormality detectionunit 11A, the synchronization range identification unit 12, the recencyinformation management unit 13, the recency information calculation unit14, the message generation unit 15, the synchronization processingexecution determination unit 16, the recency information verificationunit 17, the message verification unit 18, and the synchronizationprocessing control unit 19 may also be realized with an FPGA (FieldProgrammable Gate Array), which is a rewritable logic circuit, or anASIC (Application Specific Integrated Circuit), which is an integratedcircuit for a specific application. Moreover, these may be realized witha combination of a different configuration in substitute for thecombination of a CPU, a ROM, and a RAM; for instance, the combination ofa CPU, a ROM, a RAM and an FPGA.

Slot

FIG. 2 is a diagram showing an example of the information stored in theRAM 19B. The RAM 19B stores, regard to the communication ID slot and thedevice ID slot, respectively, a combination of a slot ID and acommunication ID, and a combination of a slot ID and a device ID. Forexample, there are slot IDs 1 to 16 that can be expressed in 4 bits, andthe information quantity of the communication ID or the device IDcorresponding to each slot ID; that is, the bit length of thecorresponding data, is longer than the bit length of the slot ID.

The communication ID is information having a predetermined length and,for example, has a length of 11 bits. Here, considered is a case ofincluding information of the communication ID in the payload of thecommunication message. When including the communication ID as is in thepayload, the payload will invariably be 11 bits or more. Nevertheless,when the slot ID of the communication ID slot storing the communicationID is used in the payload in substitute for the communication ID, thiscan be reduced to a small data volume, for example, 4 bits. Note thatFIG. 2 is merely an example, and the slot ID may be more than 4 bits,and the slot ID of the communication ID slot and the slot ID of thedevice ID slot may be independent.

Influence Range Information 191

FIG. 3 is a diagram showing an example of the influence rangeinformation 191. The influence range information 191 is configured froma plurality of records, and each record is configured from anabnormality code 1911, an abnormality description 1912, an abnormalityinfluence range code 1913, and an influence range 1914. The abnormalitycode 1911 is a code defined for each type of abnormality that occurs.The abnormality description column 1912 shows the type of abnormalitythat occurred. The abnormality influence range code 1913 shows the codedefined for each range that is influenced by the abnormality thatoccurred. The influence range 1914 shows the range of influence.

The influence range 1914 is, for example, a communication ID on its own,a combination of communication IDs, all communication IDs to be managedin the information processing device, a network domain, or the overallin-vehicle system. For example, when the power is lost at an unexpectedtiming, the information processing device 1 identifies the influencerange based on the abnormality influence range code 1913 with regard tothe abnormality code 1911 of “0x101”. Moreover, when it is determinedthat the abnormality influence range code 1913 is “0xf03”, rather thanexecuting the synchronization recovery processing, for example, it wouldbe desirable to switch to a degenerate operation, and safely park thevehicle.

Recency-Related Information 192

FIG. 4 is a diagram showing an example of the recency-relatedinformation 192. The recency-related information 192 includes recencyinformation 1923 for each communication ID 1921. The recency information1923 is configured from a synchronization counter 1924 and acommunication counter 1925. In the example shown in FIG. 4 , the upperbit of the recency information 1923 is used as the synchronizationcounter 1924, and the lower bit is used as the communication counter1925.

Synchronization Request Message

FIG. 5 is a diagram showing an example of the structure of thesynchronization request message generated by the message generation unit15. The synchronization request message is configured from asynchronization request communication ID 701, a synchronization targetidentifier 702, recency information 703, and a MAC 704. Thesynchronization request communication ID 701 is an identifier indicatingthat it is a communication message for a synchronization request. Thesynchronization target identifier 702 is an identifier indicating thetarget to receive this synchronization request message and execute thesynchronization recovery processing. The recency information 703indicates the recency information 1923 updated in step 213, or thesynchronization counter 1924 included in the recency information 1923.The MAC 704 is a message authentication code (MAC) calculated using thesynchronization request communication ID 701, the synchronization targetidentifier 702, the recency information 703, and a pre-shared key (notshown). However, the calculated MAC may be used as the MAC 704 as is, orthe calculated MAC may be encrypted based on AES 128 or the like andthen used as the MAC 704.

Synchronization Target Identifier 702

FIG. 6 is a diagram showing an example of the data structure of thesynchronization target identifier 702 shown in FIG. 5 . FIG. 6A shows anexample where the synchronization request communication ID can beassigned to each information processing device, and FIG. 6B shows anexample where the synchronization request communication ID cannot beassigned to each information processing device. When the synchronizationrequest communication ID can be assigned to each information processingdevice, for example, the communication ID of the synchronization requestfrom the first information processing device 1A to the secondinformation processing device 1B, the communication ID of thesynchronization request from the first information processing device 1Ato the third information processing device 1C, and the communication IDof the synchronization request from the third information processingdevice 1C to the second information processing device 1B will all bedifferent.

The configuration when the synchronization request communication ID 701can be assigned to each information processing device is foremostexplained with reference to FIG. 6A. In the foregoing case, the IDcorresponding to the information terminal device to be synchronized isthe synchronization request communication ID 701, the range ofrecovering the synchronization is the synchronization range 801, and theID of the slot for identifying the communication ID to be synchronizedis the synchronization target slot 802. However, the synchronizationrange 801 takes on a value of “0” or “1”, and the interpretation of thevalue stored in the synchronization target slot 802 will differdepending on the value of the synchronization range 801.

When the value of the synchronization range 801 is “0”, this indicatesthat the synchronization range is to be set in units of thecommunication ID, and when the value of the synchronization range 801 is“1”, this indicates that the synchronization range is to be set in unitsof the information processing device of the communication destination.When the value of the synchronization range 801 is “0”, information ofthe slot ID for identifying the communication ID is stored in thesynchronization target slot 802. For example, the slot ID of thecommunication ID slot indicating the communication ID to be synchronizedmay be stored, or bits indicating whether or not it is a target may bearranged for each slot ID of the communication ID slot. For example,when the communication IDs “0x250” and “0x7ff” are the targets in theexample shown in FIG. 2 , this may be “2, 4” as the target slot IDs, orthis may be “0101” by representing the targets as “1” in the order ofslot IDs 1 to 4.

When the value of the synchronization range 801 is “1”, the value of thecommunication ID slot to be synchronized will be “0”, and allcommunication IDs related to the information processing devicesindicated by the synchronization request communication ID 701 will besynchronized. The specific communication IDs to be synchronized aredetermined by the information processing devices 1 that received thesynchronization request message.

The configuration when the synchronization request communication ID 701cannot be assigned to each information processing device is nowexplained with reference to FIG. 6B. In the foregoing case, thesynchronization target identifier 702 is configured from asynchronization range 801, a synchronization target slot 802, and adevice ID 803. The device ID 803 stores identifiers capable ofdifferentiating the respective information processing devices. Note thatthe synchronization target identifier merely needs to be able toidentify the corresponding information processing device andcommunication ID, and may be combined with the synchronization requestcommunication ID 701 as a single identifier.

Communication-Related Information 193

FIG. 7 is a diagram showing an example of the communication-relatedinformation 193. The communication-related information 193 indicates thecorrespondence of the communication ID and the information processingdevice 1 of the communication destination. The communication-relatedinformation 193 is configured from a communication ID 1931, and acommunication destination information processing device 1932. Thecommunication ID 1931 stores a communication ID, and the communicationdestination information processing device 1932 stores the name or thelike of the information processing device which transmits/receives acommunication message using the communication ID 1931. For example, whenthe device ID 803 included in the synchronization target identifier 702indicates “information processing device 1”, the information processingdevice that received the synchronization request message determines thatthe next communication ID needs to be synchronized. In other words, thethree communication IDs of “0x001”, “0x010”, and “0x014” linked to“information processing device 1” are determined as the synchronizationtargets.

Processing of Normal Message

The processing of a normal message; that is, any message other than thesynchronization request message, is now explained. For example, when themessage generation unit 15 of the information processing device 1 is totransmit control data, the message generation unit 15 generates amessage including the communication ID, control data, value of thecommunication counter, and the MAC. The value of the communicationcounter included in this message corresponds to the communication ID tobe transmitted, and is the value stored in the recency-relatedinformation 192. However, immediately before the message generation unit15 reads the value of the communication counter, the recency informationmanagement unit 13 increments the value of the communication counter ofthe communication ID by one.

Moreover, the MAC included in a normal message is the messageauthentication code calculated by using a pre-shared key (not shown)with that normal message's communication ID, control data, and value ofthe communication counter as the processing targets. Upon receiving anormal message, the message verification unit 18 and the recencyinformation verification unit 17 of the information processing device 1confirms the completeness of the message. Once the completeness isconfirmed, control using the control data included in the normal messageis performed, and, if the completeness cannot be confirmed, that messageis discarded. Note that the order of operating the message verificationunit 18 and the recency information verification unit 17 is arbitrary,and may be simultaneous. Completeness is confirmed only when it isconfirmed that there is no problem based on the verification of themessage verification unit 18 and the recency information verificationunit 17.

The recency information verification unit 17 reads, from therecency-related information 192, the value of the communication countercorresponding to the communication ID of the received normal message.When the value of the normal counter included in the received normalmessage is newer; that is, greater, than the read value, it isdetermined that the recency has been confirmed. However, when thedifference between the two is greater than a predetermined threshold, itis also possible to determine that the recency has not been confirmed ongrounds that an unduly large value has been transmitted.

Verification of the MAC by the message verification unit 18 is performedas follows. The message verification unit 18 foremost calculates the MACusing a pre-shared key (not shown) with the communication ID, controldata, and recency information included in the received normal message asthe processing targets. Subsequently, the message verification unit 18determines whether the calculated MAC and the MAC included in thereceived normal message coincide. The message verification unit 18determines that there is no problem when the two coincide, anddetermines that a problem has occurred; that is, that an illegal messagehas been sent, when the two do not coincide.

Overview of Re-Synchronization Processing

FIG. 8 is a diagram showing a re-synchronization processing sequence ofthe communication counter value between a request-side device 1P and averification-side device 1Q. Note that the request-side device 1P andthe verification-side device 1Q are names used for the sake convenience,and in effect they are one of the information processing devices 1.

In step 211, the abnormality monitoring unit 11 detects an abnormalitybased on the influence range information 191 generated by theabnormality detection unit 11A, and proceeds to step 212 upon detectingan abnormality. The abnormality monitoring unit 11 may confirm theinfluence range information 191 at the time that it is activated, orperiodically confirm the influence range information 191, or confirm theinfluence range information 191 each time it is to detect anabnormality.

In step 212, the synchronization range identification unit 12 identifiesthe synchronization range based on the abnormality influence range code1913 acquired in step 211. For example, when the abnormality influencerange code 1913 is “0xf02”, the synchronization range identificationunit 12 determines that all communication ID that is is managing will beinfluenced, and identifies all communication IDs included in therecency-related information 192 as the synchronization range.

In subsequent step 213, the recency information management unit 13acquires, from the recency-related information 192, the recencyinformation of the communication IDs related to the synchronizationrange identified in step 212, and the recency information calculationunit 14 calculates new recency information.

For example, when all communication IDs are determined to be thesynchronization targets, in step 213, the recency information managementunit 13 acquires the synchronization counter 1924 linked to allcommunication IDs 1921 registered in the recency-related information192, and the recency information calculation unit 14 calculates newrecency information in which the value obtained by incrementing themaximum value by “1” is used as the upper bit. Note that new recencyinformation may be calculated and updated for each communication ID.Since the new recency information calculated here is written in anotherinformation processing device 1 based on the synchronization processing,such new recency information may also be referred to as recencyinformation “after synchronization”.

In subsequent step 214, the message generation unit 15 calculates theMAC using the recency information updated in step 213 and thesynchronization request communication ID, and generates asynchronization request message including the synchronization targetidentifier, which indicates the target identified as the synchronizationtarget, synchronization request communication ID, recency information,and the MAC. In step 215, the communication unit 10 transmits thesynchronization request message generated in step 214 to otherinformation processing devices via the communication bus 2. Insubsequent step 216, the synchronization processing control unit 19registers the recency information calculated in step 213 in therecency-related information 192.

The verification-side device 1Q executes step 230 upon receiving thesynchronization request message transmitted by the request-side device1P in step 215. In step 230, the verification-side device 1Q refers tothe synchronization request communication ID 701 and the synchronizationtarget identifier 702 of the received synchronization request message,and determines whether or not synchronization is required. Theverification-side device 1Q proceeds to step 231 upon determining thatsynchronization is required, and ends the processing of FIG. 8 upondetermining that synchronization is not required.

In step 231, the verification-side device 1Q performs the following twotypes of processing as the counter processing. In the verification-sidedevice 1Q, the recency information management unit 13 foremost updatesthe communication counter acquired from the communication counter 1925corresponding to the communication ID 1931 according to predeterminedrules. Subsequently, the verification-side device 1Q acquires the valueof the corresponding synchronization counter 1924, and then proceeds tostep 232.

In step 232, the recency information verification unit 17 verifies therecency by comparing the synchronization counter included in the recencyinformation 703 assigned to the received communication message, and thevalue of the synchronization counter 1924 acquired in step 231. To putit differently, the recency information verification unit 17 confirmswhether the value of the synchronization counter included in thereceived recency information 703 is newer than the value of thesynchronization counter 1924. The verification-side device 1Q proceedsto step 233 when the recency has been confirmed, and ends the processingof FIG. 8 when the recency could not be confirmed.

With regard to the verification of the recency, the value of thereceived recency information 703 can be determined to be the latestvalue when it is greater than the value of the synchronization counter1924. Furthermore, the value of the received recency information 703 maybe determined to the latest only when the difference between the valueof the synchronization counter included in the received recencyinformation 703 and the value of the synchronization counter 1924 iswithin a predetermined threshold. If the difference between the twoexceeds the threshold, it is determined that an illegal counter valuehas been received, and this processing is ended.

Note that the processing shown in FIG. 8 may also be ended when themessage verification unit 18 of the verification-side device 1Q verifiesthe MAC 704 included in the received message and determines that thevalues do not coincide. More specifically, the message verification unit18 calculates the MAC using the value of the synchronization counterincluded in the recency information 703 in which the recency has beenconfirmed, the value of the updated communication counter, and thesynchronization request communication ID 701. Subsequently, the messageverification unit 18 compares the received MAC 704 and the calculatedMAC, and proceeds to step 233 when they coincide, and ends thisprocessing when they do not coincide.

In step 233, the synchronization processing control unit 19 stores, inthe synchronization counter 1924, the value of the synchronizationcounter included in the received recency information 703, and stores, inthe communication counter 1925, the value of the communication counterupdated in step 232. In other words, the value of the synchronizationcounter 1924 is updated based on the processing of this step. Insubsequent step 234, the message generation unit 15 generates asynchronization completion message including the synchronizationcompletion ID and the information processing device ID. In step 235, thecommunication unit 10 transmits the synchronization completion messagegenerated in step 234 to the other information processing devices viathe communication bus 2.

The request-side device 1P executes step 217 upon receiving asynchronization completion message from the verification-side device 1Q.In step 217, the communication unit 10 of the request-side device 1Pcompletes the synchronization recovery processing by using thesynchronization processing control unit 19, and switches to the normalmode.

As explained above, the request-side device 1P transmits asynchronization request message to the verification-side device 1Q, andthe verification-side device 1Q updates the synchronization counter 1924and the communication counter 1925 according to predetermined rules.Consequently, the values of the communication counter 1925 arere-synchronized by the request-side device 1P and the verification-sidedevice 1Q. To put it differently, the values of the communicationcounter 1925 are shared by the request-side device 1P and theverification-side device 1Q.

Details of Synchronization Request Side

FIG. 9 is a flowchart showing the detailed processing from step 211 tostep 216 of FIG. 8 . In step 301, the abnormality monitoring unit 11monitors whether there is an output from the abnormality detection unit11A; that is, whether or not an abnormality has occurred. In step 302,the abnormality monitoring unit 11 proceeds to step 303 when anabnormality is detected in step 301, and proceeds to step 311 when anabnormality is not detected. In step 303, the synchronization rangeidentification unit 12 acquires the abnormality code 1911 output by theabnormality detection unit 11A.

In step 304, the synchronization range identification unit 12 refers tothe influence range information 191, and acquires the abnormalityinfluence range code 1913 and the influence range 1914 corresponding tothe abnormality code 1911 acquired in step 303. Subsequently, thesynchronization range identification unit 12 determines whether thesynchronization recovery processing can be executed based on theinfluence range 1914. Specifically, the synchronization rangeidentification unit 12 determines that the synchronization recoveryprocessing cannot be executed when the influence range 1914 cannot besynchronized, and otherwise determines that the synchronization recoveryprocessing can be executed.

In step 305, the synchronization processing execution determination unit16 proceeds to step 306 when it is determined in step 304 that thesynchronization recovery processing can be executed, and proceeds tostep 312 when it is determined in step 304 that the synchronizationrecovery processing cannot be executed. In step 306, the influence rangeof the specific recency information 1923 is identified based on theinfluence range 1914 read in step 304. For example, when the influencerange 1914 is the communication ID, the communication ID 1921 in whichan abnormality has occurred is identified as the influence range.Moreover, for example, when the influence range 1914 is the informationprocessing device, all communication IDs 1921 being managed by thatinformation processing device 1 are identified as the influence range.

In subsequent step 307, the recency information calculation unit 14calculates new recency information in the influence range identified instep 306. For example, the value obtained by adding “1” to the maximumvalue of the synchronization counter 1924 in the influence range andsetting the value of the communication counter to “0” is used as the newrecency information of the communication ID corresponding to theinfluence range. As described above, since the upper bit of the recencyinformation is the synchronization counter and the lower bit is thecommunication counter, even when the value of the communication counteris reset to zero, the value of the recency information will increase byincreasing the value of the synchronization counter 1924.

In subsequent step 308, the message generation unit 15 generates asynchronization request message. This synchronization request messageincludes the recency information 703 calculated in step 307, thesynchronization request communication ID 701, the synchronization targetidentifier 702 indicating the synchronization target range, and the MAC704 calculated based on the foregoing information. In subsequent step309, the communication unit 10 sends the synchronization request messagegenerated in step 308 to the verification-side device 1Q via thecommunication bus 2. In subsequent step 310, the synchronizationprocessing control unit 19 registers the recency information calculatedin step 307 as the recency information 1923 linked to the correspondingcommunication ID 1921 of the recency-related information 192.

In step 311 which is executed when a negative result is obtained in thedetermination of step 302, the synchronization processing control unit19 continues the normal control processing. In step 312 which isexecuted when a negative result is obtained in the determination of step305, the synchronization processing control unit 19 outputs aninstruction of switching to the fail-safe mode of being operated withdegenerated functions. Based on the foregoing steps, the request-sidedevice 1P transmits, to the verification-side device 1Q, thesynchronization request message which is generated when an abnormalityis detected. Subsequently, as shown in FIG. 8 , as a result of receivinga synchronization completion notice from the verification-side device1Q, it is possible to confirm that the synchronization was successful.

Details of Synchronization Verification Side

FIG. 10 is a flowchart showing the detailed processing from step 231 tostep 235 of FIG. 8 . In step 401, the message verification unit 18confirms the synchronization request message received using thecommunication unit 10. Specifically, the message verification unit 18acquires the synchronization target identifier 702 from the receivedsynchronization request message, refers to the communication-relatedinformation 193, and verifies whether there is an communication IDcorresponding to that synchronization target identifier 702. Forexample, when the verification-side device 1Q executing the flowchartshown in FIG. 10 is the second information processing device 1B and thecommunication-related information 193 is the information shown in FIG. 7, whether “0x00d” is included in the communication ID 1931 is verified.

In step 402, the synchronization processing execution determination unit16 proceeds to step 403 upon determining that there is a communicationID corresponding to the synchronization target identifier 702 based onthe verification of step 401, and proceeds to step 409 upon determiningthat there is no corresponding communication ID.

In step 403, foremost, the recency information management unit 13updates the value of the communication counter 1925 corresponding to thecommunication ID 1931 according to predetermined rules. Subsequently,the recency information verification unit 17 acquires the value of thecorresponding synchronization counter 1924 and compares it with thesynchronization counter included in the recency information 703 assignedto the received communication message. Subsequently, the recencyinformation verification unit 17 confirms whether the value of thesynchronization counter included in the received recency information 703is newer than the synchronization counter 1924.

In step S403, furthermore, the message verification unit 18 calculatesthe MAC using the value of the synchronization counter included in therecency information 703 in which the recency has been confirmed, thevalue of the updated communication counter, and the synchronizationrequest communication ID 701. Subsequently, the message verificationunit 18 confirms whether the calculated MAC and the received MAC 704coincide. The message verification unit 18 proceeds to step 409 when itis not possible to confirm that the value of the synchronization counterincluded in the received recency information 703 is newer than thesynchronization counter 1924, or when it is not possible to confirm thatthe calculated MAC and received MAC 704 coincide, and otherwise proceedsto step 404.

In step 404, the recency information management unit 13 updates therecency information confirmed in step 403 as the new recencyinformation. In subsequent step 405, the synchronization processingcontrol unit 19 identifies the communication ID 1931 identified in step401 as the synchronization target range. In subsequent step 406, therecency information management unit 13 registers the recency informationupdated in step 404 as the recency information linked to thecommunication ID 1931 of the synchronization target range identified instep 405.

In subsequent step 407, the message generation unit 15 generates asynchronization completion message including the synchronizationcompletion ID, and the information processing device ID. In subsequentstep 408, the communication unit 10 transmits the synchronizationcompletion message generated in step 407 to the other informationprocessing devices via the communication bus 2, and then ends theprocessing shown in FIG. 10 . In step 409, the synchronizationprocessing control unit 19 discards the received synchronization requestmessage, and then ends the processing shown in FIG. 10 .

According to the first embodiment described above, the following effectsare yielded.

(1) An information processing device 1 transmits and receives a messageto which a communication ID indicating a class has been assigned. Theinformation processing device 1 comprises a a storage unit 19A whichstores, for each of the communication IDs, a communication counter 1925for verifying a recency of a communication, a recency informationmanagement unit 13 which updates the communication counter based on apredetermined condition, an abnormality monitoring unit 11 whichidentifies an influence range of an abnormality that occurred, and amessage generation unit 15 which generates a synchronization requestmessage including the communication ID indicating that it is a messagerequesting a synchronization of the communication counter, and asynchronization target identifier indicating the influence rangeidentified by the abnormality monitoring unit. Thus, it is possible totarget only a specific information processing device 1 to besynchronized, and devices that do not need to be synchronized canoperate normally.

(2) The storage unit 19 stores influence range information 191indicating a correspondence of abnormality type and an influence range.The abnormality monitoring unit 11 identifies the influence range basedon the identified abnormality type and the influence range information191. Thus, it is possible to synchronize with a suitable deviceaccording to the abnormality type.

(3) The storage unit 19 stores a synchronization counter 1924 used forverifying the synchronization of the communication counter 1925. Therecency information management unit 13 decides a value of thecommunication counter after the synchronization and a value of thesynchronization counter 1924 after the synchronization. Thesynchronization request message includes information indicating thevalue of the communication counter 1925 after the synchronization andthe value of the synchronization counter 1924 after the synchronization.Thus, values of the counters after synchronization can be matchedexactly.

(4) When there are a plurality of the communication IDs to besynchronized, the recency information management unit 13 decides thevalue of the synchronization counter 1924 after the synchronizationbased on a largest value of the synchronization counter 1924 amongvalues of the synchronization counter 1924 corresponding to theplurality of communication IDs to be synchronized. Thus, synchronizationcan be performed efficiently.

(5) When there are a plurality of the communication IDs to besynchronized, the recency information management unit 13 adds 1 to alargest value of the synchronization counter 1924 among values of thesynchronization counter 1924 corresponding to the plurality ofcommunication IDs to be synchronized and sets an obtained value as thevalue of the synchronization counter 1924 after the synchronization, andsets the value of the communication counter 1925 after thesynchronization to zero.

(6) The synchronization target identifier 702 includes informationindicating the communication ID to be synchronized, or informationindicating an information processing device in which an abnormalityoccurred. Thus, since each information processing device 1 that receivedthe synchronization request message can determine whethersynchronization is necessary, there is no particular need to change thesynchronization request message even when the number of informationprocessing devices 1 connected to the communication bus 2 is increased,and the network configuration can be changed easily.

(7) Upon receiving a message, the recency information management unit 13increments by one the value of the communication counter correspondingto the communication ID included in the received message. When thecommunication ID included in the received message is other than thecommunication ID indicating that it is a message requesting thesynchronization of the communication counter, the recency informationmanagement unit 13 confirms the recency of the received message bycomparing the value of the communication counter 1925 included in thereceived message, and the value of the communication counter 1925 afterbeing incremented by one with the recency information management unit13.

Modified Example 1

In the foregoing embodiment, the abnormality detection unit 11A wasequipped in the information processing device 1. Nevertheless, theinformation processing device 1 does not need to comprise theabnormality detection unit 11A, and the abnormality detection unit 11Amay also be equipped in another device connected to the communicationbus 2. In the foregoing case, the abnormality monitoring unit 11receives the abnormality code 1911 from the abnormality detection unit11A equipped in the other device.

Modified Example 2

The communication bus 2 may also be a communication bus whichcorresponds to a communication protocol other than CAN such as IEEE802.3, MOST, or FlexRay. When the communication bus 2 corresponds toIEEE 802.3, the communication ID may be combination of a destination IPaddress and a source IP address, or information included in the payload.For example, the communication ID explained in this embodiment may beincluded in a specific area of the payload of the packet of IEEE 802.3,and used. In other words, the communication ID is not limited to theinformation stored in the header part of the communication protocol.

Modified Example 3

The RAM 19B of the information processing device 1 does not need tostore slot information. In the foregoing case, the normal message willstore a communication ID or a device ID, and not a slot ID.

Modified Example 4

In the foregoing embodiment, the information processing device 1 wasmounted on an in-vehicle network. Nevertheless, the mounting site of theinformation processing device 1 is not limited thereto, and may also beapplied to a control system or an information system.

Modified Example 5

Rather than including the value of the communication counter after thesynchronization in the synchronization request message, a predeterminedvalue, such as zero, may also be used.

Second Embodiment

The second embodiment of the information processing device is nowexplained with reference to FIG. 11 to FIG. 13 . In the followingexplanation, the same reference numerals are assigned to the sameconstituent elements as the first embodiment, and the differences willbe mainly explained. If no particular explanation is provided, then itis the same as the first embodiment. This embodiment differs from thefirst embodiment mainly with respect to the point that a managementdevice exists on the communication bus.

FIG. 11 is a configuration diagram of a network N including theinformation processing device 1 according to the second embodiment.Connected to the network N are a first information processing device 1A,a second information processing device 1B, a third informationprocessing device 1C, a fourth information processing device 1D, a fifthinformation processing device 1E, a sixth information processing device1F, a seventh information processing device 1G, an eighth informationprocessing device 1H, a ninth information processing device 1I, and amanagement device 950. In the following explanation, when the firstinformation processing device 1A, the second information processingdevice 1B, the third information processing device 1C, the fourthinformation processing device 1D, the fifth information processingdevice 1E, the sixth information processing device 1F, the seventhinformation processing device 1G, the eighth information processingdevice 1H, and the ninth information processing device 1I are notdifferentiated, they will be collectively referred to as the informationprocessing device 1.

The first information processing device 1A, the second informationprocessing device 1B, and the third information processing device 1C areconnected to a first segment 21. The fourth information processingdevice 1D, the fifth information processing device 1E, and the sixthinformation processing device 1F are connected to a second segment 22.The seventh information processing device 1G, the eighth informationprocessing device 1H, and the ninth information processing device 1I areconnected to a third segment 23. The management device 950 is connectedto the first segment 21, the second segment 22, and the third segment23.

The management device 950 transmits a communication message receivedfrom a certain segment to another segment. However, the managementdevice 950 decides the segment to which a synchronization requestmessage is to be transmitted based on the contents thereof as describedlater. In other words, the management device 950 may not transmit asynchronization request message, which coincides with a specificcondition, to a certain segment.

In FIG. 11 , inside each information processing device 1, a message IDassigned to a communication message to be transmitted by thatinformation processing device 1 is indicated as “transmission ID”, and amessage ID assigned to a communication message received by thatinformation processing device 1 is indicated as “reception ID”. Forexample, the transmission ID of the first information processing device1A is “0x001” and “0x002”, and the reception ID of the first informationprocessing device 1A is “0x003” and “0x005”. Since the informationprocessing device 1 to receive the communication message having an ID of“0x001” transmitted by the first information processing device 1A is theinformation processing device 1 having a reception ID of “0x001”, thisinformation processing device 1 corresponds to the second informationprocessing device 1B and the seventh information processing device 1G.

The management device 950 stores in advance information of the ID of thecommunication message transmitted and received in the respectivesegments. However, the management device 950 does not need to storeinformation of the transmission ID and the reception ID in units of therespective information processing devices 1. In FIG. 11 , thecommunication ID to be transmitted and received by the seventhinformation processing device 1G is indicated in bold letters forexplaining the operational example described later.

Configuration of Management Device 950

FIG. 12 is a configuration diagram of the management device 950. Themanagement device 950 comprises a communication unit 951, a transferunit 952, and a storage unit 960. The communication unit 951 is, forexample, a communication interface corresponding to a CAN, andcommunicates with the first segment 21, the second segment 22, and thethird segment 23. The transfer unit 952 is realized, for example, by aCPU reading a program stored in a ROM not shown into a RAM and executingsuch program. When the management device 950 receives a synchronizationrequest message from one of the segments, the transfer unit 952transfers the synchronization request message only to the segment towhich belongs the information processing device 1 to synchronize thecommunication counter based on the synchronization request message. Theoperation of the transfer unit 952 will be described later.

The storage unit 960 is a non-volatile storage device such as a flashmemory, and stores an destination correspondence table 961, networkinformation 962, and slot information 963. The destinationcorrespondence table 961 is information indicating the correspondence ofthe synchronization request communication ID 701 and the destinationinformation processing device 1 in a case where the synchronizationrequest communication ID can be assigned to each information processingdevice 1. The network information 962 is the information shown in FIG.11 . In other words, the network information 962 is information of theaffiliated segment, transmission ID and reception ID of each informationprocessing device 1. The slot information 963 is information of the slotID included in the communication message and is, for example, thecorrespondence of the slot ID and the communication ID of thecommunication ID slot, and the correspondence of the slot ID and thedevice ID of the device ID slot shown in FIG. 2 .

Operation of Management Device 950

FIG. 13 is a flowchart showing the operation of the transfer unit 952 ofthe management device 950. In step 501, the management device 950determines whether the synchronization request communication ID has beenassigned to each information processing device. As explained in thefirst embodiment, whether or not the synchronization requestcommunication ID has been assigned to each information processing deviceis restricted by the number of available communication IDs and thenumber of available information processing devices 1 or other factors,and is a matter of design of the network. Thus, whether thesynchronization request communication ID has been assigned to eachinformation processing device is decided in advance, and suchinformation is stored in the storage unit 960 of the management device950. The management device 950 proceeds to step 502 upon obtaining apositive result in the determination of step 501, and proceeds to step503 upon obtaining a negative result in the determination of step 503.

In step 502, the management device 950 refers to the destinationcorrespondence table 961, and identifies the information processingdevice 1 corresponding to the synchronization request communication ID701 included in the received synchronization request message; that is,the information processing device 1 to become the address of thatsynchronization request message. Furthermore, the management device 950refers to the network information 962, identifies the segment to whichthe identified information processing device 1 belongs, and thenproceeds to step 510.

In step 503, the management device 950 determines the value of thesynchronization range 801 included in the received synchronizationrequest message. The management device 950 proceeds to step 504 upondetermining that the value of the synchronization range 801 is “0”, andproceeds to step 507 upon determining that the value of thesynchronization range 801 is “1”. In step 504, the management device 950interprets the slot ID stored in the synchronization target slot 802 asbeing the communication slot ID, identifies the communication ID to besynchronized by combining it with the slot information 963, and thenproceeds to step 505. For example, when the slot information 963 is theexample shown in FIG. 2 and the slot ID stored in the synchronizationtarget slot 802 is “1”, the communication ID is identified as being“0x001”.

In step 505, the management device 950 identifies the segment to receivethe communication ID identified in step 504 or step 508. For example,when the identified communication ID is “0x001”, the management device950 refers to the network information 962 and identifies the segmentincluding the information processing device in which the transmission IDor the reception ID is “0x001”. In other words, the first segment 21 towhich the first information processing device 1A and the secondinformation processing device 1B belong, and the third segment 23 towhich the seventh information processing device 1G belongs, areidentified.

In step 507, the management device 950 refers to the device ID 803,identifies the source information processing device 1, and then proceedsto step 505. In subsequent step 508, the management device 950 refers tothe network information 962 and identifies the communication ID relatedto the identified information processing device 1. For example, when theidentified information processing device 1 is the seventh informationprocessing device 1G, for example, the five IDs to be transmitted orreceived by the seventh information processing device 1G shown in FIG.11 are identified.

In step 510 executed subsequent to step 502 or step 505, the managementdevice 950 transmits the same synchronization request message as thereceived synchronization request message to the segment identified instep 502 or step 505. However, the management device 950 does nottransmit the synchronization request message to a segment that hasprevious received that synchronization request message.

Operational Example

Explained is an operation of a case where the seventh informationprocessing device 1G detects an abnormal reset operation of itself(seventh information processing device 1G) and transmits asynchronization request message. In this case, the message ID to betransmitted by the seventh information processing device 1G and the IDto be received by the seventh information processing device 1G need tobe synchronized. Specifically, the IDs indicated in bold letters shownin FIG. 8 to be transmitted or received by the first informationprocessing device 1A, the second information processing device 1B, theeighth information processing device 1H, and the ninth informationprocessing device 1I need to be synchronized. The synchronizationrequest message transmitted by the seventh information processing device1G is directly delivered to the eighth information processing device 1Hand the ninth information processing device 1I belonging to the samethird segment 23. Moreover, this synchronization request message is alsoreceived by the management device 950.

The management device 950 performs the processing described above, andidentifies the first segment 21 and the third segment 23 in step 502 orstep 505. Subsequently, since that synchronization request message wasreceived from the third segment 23 to begin with, in step 510, themanagement device 950 transmits the synchronization request message onlyto the first segment 21 upon excluding the third segment 23 from thedestination. Thus, since the synchronization request message itselftransmitted by the seventh information processing device 1G is notdelivered to the second segment 22, the communication volume of thesecond segment 22 can be reduced.

According to the foregoing second embodiment, the following effects areyielded.

(8) A management device 950 relays a communication of communicationsegments to which the information processing device 1. A plurality ofinformation processing devices 1 are disposed by being divided into twoor more segments. The management device 950 comprises a communicationunit 951 which communicates with each of the two or more segments, and atransfer unit 952 which, upon receiving the synchronization requestmessage, transfers the synchronization request message only to thesegment to which belongs the information processing device tosynchronize the communication counter based on the synchronizationrequest message. Thus, the management device 950 can transmitted thesynchronization request message only to the necessary segments, andinfluence on segments that do not need to be synchronized can beexcluded.

In each of the embodiments and modified examples described above, theencryption key and seed used in the respective devices will suffice soas long as they are safely distributed, managed and updated, and theymay be distributed and updated at an arbitrary timing such at the timeof starting/stopping the engine, at the time of production development,or at the time of maintenance. Each of the embodiments and modifiedexamples described above may be combined with each other. While variousembodiments and modified examples were described above, the presentinvention is not limited to the subject matter thereof. Other modesconsidered to fall within the technical scope of the present inventionare also covered by the present invention.

The disclosure of the following priority application is incorporatedherein by reference. Japanese Patent Application No. 2018-196082 (filedon Oct. 17, 2018)

REFERENCE SIGNS LIST

-   -   1 . . . information processing device    -   10 . . . communication unit    -   11 . . . abnormality monitoring unit    -   12 . . . synchronization range identification unit    -   13 . . . recency information management unit    -   14 . . . recency information calculation unit    -   15 . . . message generation unit    -   16 . . . synchronization processing execution determination unit    -   17 . . . recency information verification unit    -   18 . . . message verification unit    -   19 . . . synchronization processing control unit    -   191 . . . influence range information    -   192 . . . recency-related information    -   193 . . . communication-related information    -   702 . . . synchronization target identifier    -   703 . . . recency information    -   950 . . . management device    -   960 . . . storage unit    -   961 . . . destination correspondence table    -   962 . . . network information    -   963 . . . slot information

The invention claimed is:
 1. An information processing device whichtransmits and receives a message to which a communication ID indicatinga class has been assigned, comprising: a storage unit which stores, foreach of the communication IDs, a communication counter for verifying arecency of a communication; a recency information management unit whichupdates the communication counter based on a predetermined condition; anabnormality monitoring unit which identifies an influence range of anabnormality that occurred; and a message generation unit which generatesa synchronization request message including the communication IDindicating that it is a message requesting a synchronization of thecommunication counter, and a synchronization target identifierindicating the influence range identified by the abnormality monitoringunit, wherein the influence range is related to a communication IDaffected by the abnormality.
 2. The information processing deviceaccording to claim 1, wherein: the storage unit additionally storescorrespondence information indicating a correspondence of an abnormalitytype and the influence range; and the abnormality monitoring unitidentifies the influence range based on the identified abnormality typeand the correspondence information.
 3. The information processing deviceaccording to claim 1, wherein: the storage unit additionally stores asynchronization counter used for verifying the synchronization of thecommunication counter; the recency information management unit decides avalue of the communication counter after the synchronization and a valueof the synchronization counter after the synchronization; and thesynchronization request message additionally includes informationindicating the value of the communication counter after thesynchronization and the value of the synchronization counter after thesynchronization.
 4. The information processing device according to claim3, wherein: when there are a plurality of the communication IDs to besynchronized, the recency information management unit decides the valueof the synchronization counter after the synchronization based on alargest value of the synchronization counter among values of thesynchronization counter corresponding to the plurality of communicationIDs to be synchronized.
 5. The information processing device accordingto claim 3, wherein: when there are a plurality of the communication IDsto be synchronized, the recency information management unit adds 1 to alargest value of the synchronization counter among values of thesynchronization counter corresponding to the plurality of communicationIDs to be synchronized and sets an obtained value as the value of thesynchronization counter after the synchronization, and sets the value ofthe communication counter after the synchronization to zero.
 6. Theinformation processing device according to claim 1, wherein: thesynchronization target identifier includes information indicating thecommunication ID to be synchronized, or information indicating aninformation processing device in which an abnormality occurred.
 7. Theinformation processing device according to claim 1, wherein: uponreceiving a message, the recency information management unit incrementsby one the value of the communication counter corresponding to thecommunication ID included in the received message; and when thecommunication ID included in the received message is other than thecommunication ID indicating that it is a message requesting thesynchronization of the communication counter, the recency informationmanagement unit confirms the recency of the received message bycomparing the value of the communication counter included in thereceived message, and the value of the communication counter after beingincremented by one with the recency information management unit.
 8. Amanagement device which relays a communication of communication segmentsto which the information processing device according to claim 1 isconnected, wherein: a plurality of the information processing devicesare disposed by being divided into two or more segments; the managementdevice comprising: a communication unit which communicates with each ofthe two or more segments; and a transfer unit which, upon receiving thesynchronization request message, transfers the synchronization requestmessage only to the segment to which belongs the information processingdevice to synchronize the communication counter based on thesynchronization request message.